package io.confluent.rbacapi.services;

import com.fasterxml.jackson.core.type.TypeReference;
import com.google.common.collect.ImmutableSet;
import io.confluent.rbacapi.entities.ManagedRoleBindings;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.rbac.RbacRoles;
import io.confluent.security.rbac.RoleBinding;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.common.utils.Utils;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.ArgumentMatchers;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.junit.MockitoJUnitRunner;
import utils.MdsJsonUtil;
import utils.RolesTestUtils;

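@RunWith(MockitoJUnitRunner.class)
/**
 * Tests for {@link ManagedRoleBindingsBuilder}: given the role bindings cached for a scope chain,
 * which bindings may a given principal see, and which of those may it modify.
 *
 * Security-relevant properties pinned here:
 * - unknown role names are dropped rather than mapped to any permission (fail closed);
 * - the "can modify" flag on every returned binding reflects the requesting principal's own
 *   role, not the role of the binding being listed;
 * - a principal bound at a child scope does not see bindings at a parent scope, while bindings
 *   at a parent scope are visible (read-only) when listing a child scope.
 */
public class ManagedRoleBindingsBuilderTest {
    private static final KafkaPrincipal USER_1 = SecurityUtils.parseKafkaPrincipal("User:u1");
    private static final KafkaPrincipal USER_2 = SecurityUtils.parseKafkaPrincipal("User:u2");
    private static final KafkaPrincipal USER_3 = SecurityUtils.parseKafkaPrincipal("User:u3");
    private static final Scope SCOPE = Scope.kafkaClusterScope("k1");
    private static final ResourceType TOPIC = new ResourceType("Topic");
    /** Scope hierarchy handed to {@link RbacRoles}: root > organization > environment > cloud-cluster > cluster. */
    private static final String DEFAULT_BINDING_SCOPES = "{\"root\": {\"organization\": {\"environment\": { \"cloud-cluster\": { \"cluster\": {}}}}}}";
    private ManagedRoleBindingsBuilder managedRoleBindingsBuilder;

    @Mock
    private AuthCache authCache;

    @Mock
    private ClusterPermissionsBuilder clusterPermissionsBuilder;

    @Mock
    private ClusterPermissions clusterPermissions;

    /**
     * Wires a builder over mocked caches. The role catalogue is the fixed set of test roles;
     * the cluster-permissions stub answers any argument combination. Tests that construct
     * their own single-argument {@code ManagedRoleBindingsBuilder(authCache)} bypass the
     * cluster-permissions mock entirely.
     */
    @Before
    public void setUp() {
        this.managedRoleBindingsBuilder = new ManagedRoleBindingsBuilder(this.authCache, this.clusterPermissionsBuilder);
        RbacRoles roles = new RbacRoles(
            Arrays.asList(
                RolesTestUtils.SYSTEM_ADMIN_ROLE,
                RolesTestUtils.SECURITY_ADMIN_ROLE,
                RolesTestUtils.CLUSTER_ADMIN_ROLE,
                RolesTestUtils.RESOURCE_OWNER_ROLE,
                RolesTestUtils.DEVELOPER_READ_ROLE,
                RolesTestUtils.ORG_RESOURCE_OWNER_ROLE,
                RolesTestUtils.ENV_RESOURCE_OWNER_ROLE),
            bindingScopes(DEFAULT_BINDING_SCOPES));
        Mockito.when(this.authCache.rbacRoles()).thenReturn(roles);
        Mockito.when(this.clusterPermissionsBuilder.build(
                (Map) ArgumentMatchers.any(),
                (Collection) ArgumentMatchers.any(),
                (Scope) ArgumentMatchers.any(),
                (ResourceType) ArgumentMatchers.any(),
                (Collection) ArgumentMatchers.any()))
            .thenReturn(this.clusterPermissions);
    }

    /** No bindings cached for the scope: both views are empty and the cache was consulted exactly once. */
    @Test
    public void testReturnEmptyManagedRoleBindingsWhenRoleBindingsForScopeDoNotExist() {
        stubRoleBindings(Utils.mkSet(SCOPE));

        ManagedRoleBindings result = this.managedRoleBindingsBuilder.build(SCOPE, USER_1, TOPIC);

        Assert.assertTrue(result.getClusterRoleBindings().isEmpty());
        Assert.assertTrue(result.getResourceRoleBindings().isEmpty());
        Mockito.verify(this.authCache, Mockito.times(1)).rbacRoleBindings(Utils.mkSet(SCOPE));
    }

    /**
     * A binding whose role name is not in the role catalogue must be ignored. The builder must
     * fail closed here: an unknown role grants neither a view nor a modify entry.
     */
    @Test
    public void testSkipRoleBindingsWithUnknownRoleNames() {
        stubRoleBindings(Utils.mkSet(SCOPE), binding(USER_1, "UnknownRole", SCOPE));

        ManagedRoleBindings result = this.managedRoleBindingsBuilder.build(SCOPE, USER_1, TOPIC);

        Assert.assertTrue(result.getClusterRoleBindings().isEmpty());
        Assert.assertTrue(result.getResourceRoleBindings().isEmpty());
        Mockito.verify(this.authCache, Mockito.times(1)).rbacRoleBindings(Utils.mkSet(SCOPE));
    }

    /**
     * Three cluster-level bindings at one scope, listed by each of their holders with
     * {@link ResourceType#ALL}:
     * SystemAdmin sees all three and may modify them; SecurityAdmin sees all three read-only;
     * ClusterAdmin sees nothing. The modify flag is a property of the caller, not of the listed role.
     */
    @Test
    public void testRoleWithResourceTypeAllCanViewAndModifyClusterRoleBindings() {
        ManagedRoleBindingsBuilder builder = new ManagedRoleBindingsBuilder(this.authCache);
        String systemAdmin = RolesTestUtils.SYSTEM_ADMIN_ROLE.name();
        String securityAdmin = RolesTestUtils.SECURITY_ADMIN_ROLE.name();
        String clusterAdmin = RolesTestUtils.CLUSTER_ADMIN_ROLE.name();
        stubRoleBindings(Utils.mkSet(SCOPE),
            binding(USER_1, systemAdmin, SCOPE),
            binding(USER_2, securityAdmin, SCOPE),
            binding(USER_3, clusterAdmin, SCOPE));

        ManagedRoleBindings seenBySystemAdmin = builder.build(SCOPE, USER_1, ResourceType.ALL);
        ManagedRoleBindings seenBySecurityAdmin = builder.build(SCOPE, USER_2, ResourceType.ALL);
        ManagedRoleBindings seenByClusterAdmin = builder.build(SCOPE, USER_3, ResourceType.ALL);

        // SystemAdmin: full visibility, canModify = true on every entry.
        Assert.assertEquals(3, seenBySystemAdmin.getClusterRoleBindings().size());
        Assert.assertTrue(seenBySystemAdmin.getResourceRoleBindings().isEmpty());
        assertOnlyClusterBinding(seenBySystemAdmin, USER_1, systemAdmin, true);
        assertOnlyClusterBinding(seenBySystemAdmin, USER_2, securityAdmin, true);
        assertOnlyClusterBinding(seenBySystemAdmin, USER_3, clusterAdmin, true);

        // SecurityAdmin: full visibility, but canModify = false on every entry.
        Assert.assertEquals(3, seenBySecurityAdmin.getClusterRoleBindings().size());
        Assert.assertTrue(seenBySecurityAdmin.getResourceRoleBindings().isEmpty());
        assertOnlyClusterBinding(seenBySecurityAdmin, USER_1, systemAdmin, false);
        assertOnlyClusterBinding(seenBySecurityAdmin, USER_2, securityAdmin, false);
        assertOnlyClusterBinding(seenBySecurityAdmin, USER_3, clusterAdmin, false);

        // ClusterAdmin: no visibility into role bindings at all.
        Assert.assertTrue(seenByClusterAdmin.getClusterRoleBindings().isEmpty());
        Assert.assertTrue(seenByClusterAdmin.getResourceRoleBindings().isEmpty());
    }

    /**
     * A ResourceOwner on literal topic t1 sees (and may modify) every binding on that same
     * literal topic, including another principal's DeveloperRead. The DeveloperRead holder
     * itself sees nothing.
     */
    @Test
    public void testResourceOwnerOnLiteralTopicCanViewRoleBindingsWithSameLiteralTopic() {
        ManagedRoleBindingsBuilder builder = new ManagedRoleBindingsBuilder(this.authCache);
        String resourceOwner = RolesTestUtils.RESOURCE_OWNER_ROLE.name();
        String developerRead = RolesTestUtils.DEVELOPER_READ_ROLE.name();
        ResourcePattern topicT1 = literal("Topic", "t1");
        stubRoleBindings(Utils.mkSet(SCOPE),
            binding(USER_1, resourceOwner, SCOPE, topicT1),
            binding(USER_2, developerRead, SCOPE, topicT1));

        ManagedRoleBindings seenByOwner = builder.build(SCOPE, USER_1, ResourceType.ALL);
        ManagedRoleBindings seenByReader = builder.build(SCOPE, USER_2, ResourceType.ALL);

        Assert.assertTrue(seenByOwner.getClusterRoleBindings().isEmpty());
        Assert.assertEquals(2, seenByOwner.getResourceRoleBindings().size());
        assertOnlyResourceBinding(seenByOwner, USER_1,
            new ManagedRoleBindings.ManagedResourceBinding(resourceOwner, topicT1, true));
        assertOnlyResourceBinding(seenByOwner, USER_2,
            new ManagedRoleBindings.ManagedResourceBinding(developerRead, topicT1, true));
        // DeveloperRead is not a management role: the reader gets no view of any binding.
        Assert.assertTrue(seenByReader.getResourceRoleBindings().isEmpty());
    }

    /**
     * SecurityAdmin bound at org, env and cloud-cluster scopes respectively. Listing at a scope
     * surfaces that scope's bindings plus every ancestor's, always read-only (SecurityAdmin
     * never gets canModify = true). Listing at a scope above the caller's own binding returns
     * nothing, so a child-scope admin cannot enumerate parent-scope bindings.
     */
    @Test
    public void testHierarchicalScopeCluster() {
        Scope orgScope = new Scope.Builder("organization=org").build();
        Scope envScope = new Scope.Builder("organization=org", "environment=env1").build();
        Scope cloudClusterScope = new Scope.Builder("organization=org", "environment=env1", "cloud-cluster=cluster1").build();
        ManagedRoleBindingsBuilder builder = new ManagedRoleBindingsBuilder(this.authCache);
        String securityAdmin = RolesTestUtils.SECURITY_ADMIN_ROLE.name();
        RoleBinding orgAdmin = binding(USER_1, securityAdmin, orgScope);
        RoleBinding envAdmin = binding(USER_2, securityAdmin, envScope);
        RoleBinding clusterAdmin = binding(USER_3, securityAdmin, cloudClusterScope);
        // The cache is keyed by the full ancestor chain of the queried scope.
        stubRoleBindings(Utils.mkSet(orgScope), orgAdmin);
        stubRoleBindings(Utils.mkSet(orgScope, envScope), orgAdmin, envAdmin);
        stubRoleBindings(Utils.mkSet(orgScope, envScope, cloudClusterScope), orgAdmin, envAdmin, clusterAdmin);
        ManagedRoleBindings.ManagedClusterBinding viewOnlySecurityAdmin =
            new ManagedRoleBindings.ManagedClusterBinding(securityAdmin, false);

        // Org scope: only the org-bound admin has a view, and it is read-only.
        ManagedRoleBindings orgByU1 = builder.build(orgScope, USER_1, ResourceType.ALL);
        ManagedRoleBindings orgByU2 = builder.build(orgScope, USER_2, ResourceType.ALL);
        ManagedRoleBindings orgByU3 = builder.build(orgScope, USER_3, ResourceType.ALL);
        Assert.assertEquals(1, orgByU1.getClusterRoleBindings().size());
        Assert.assertTrue(orgByU1.getResourceRoleBindings().isEmpty());
        Assert.assertEquals(1, clusterBindingsFor(orgByU1, USER_1).size());
        Assert.assertEquals(viewOnlySecurityAdmin, clusterBindingsFor(orgByU1, USER_1).get(0));
        Assert.assertTrue(orgByU2.getClusterRoleBindings().isEmpty());
        Assert.assertTrue(orgByU3.getClusterRoleBindings().isEmpty());

        // Env scope: org- and env-bound admins see both bindings; the cluster-bound admin sees none.
        ManagedRoleBindings envByU1 = builder.build(envScope, USER_1, ResourceType.ALL);
        ManagedRoleBindings envByU2 = builder.build(envScope, USER_2, ResourceType.ALL);
        ManagedRoleBindings envByU3 = builder.build(envScope, USER_3, ResourceType.ALL);
        Assert.assertEquals(2, envByU1.getClusterRoleBindings().size());
        Assert.assertTrue(envByU1.getResourceRoleBindings().isEmpty());
        Assert.assertEquals(2, envByU2.getClusterRoleBindings().size());
        Assert.assertEquals(viewOnlySecurityAdmin, clusterBindingsFor(envByU2, USER_1).get(0));
        Assert.assertEquals(viewOnlySecurityAdmin, clusterBindingsFor(envByU2, USER_2).get(0));
        Assert.assertTrue(envByU3.getClusterRoleBindings().isEmpty());

        // Cloud-cluster scope: all three admins see all three bindings.
        ManagedRoleBindings clusterByU1 = builder.build(cloudClusterScope, USER_1, ResourceType.ALL);
        ManagedRoleBindings clusterByU2 = builder.build(cloudClusterScope, USER_2, ResourceType.ALL);
        ManagedRoleBindings clusterByU3 = builder.build(cloudClusterScope, USER_3, ResourceType.ALL);
        Assert.assertEquals(3, clusterByU1.getClusterRoleBindings().size());
        Assert.assertTrue(clusterByU1.getResourceRoleBindings().isEmpty());
        Assert.assertEquals(3, clusterByU2.getClusterRoleBindings().size());
        Assert.assertEquals(viewOnlySecurityAdmin, clusterBindingsFor(clusterByU2, USER_1).get(0));
        Assert.assertEquals(viewOnlySecurityAdmin, clusterBindingsFor(clusterByU2, USER_2).get(0));
        Assert.assertEquals(viewOnlySecurityAdmin, clusterBindingsFor(clusterByU2, USER_3).get(0));
        Assert.assertEquals(3, clusterByU3.getClusterRoleBindings().size());
    }

    /**
     * Resource-owner roles bound at org, env and kafka-cluster scopes on the same literal topic.
     * Listing at env shows the org and env owners' bindings to those two owners only; listing at
     * the kafka cluster shows all three to all three. Every visible entry carries canModify = true.
     */
    @Test
    public void testHierarchicalScopeResources() {
        Scope orgScope = new Scope.Builder("organization=org").build();
        Scope envScope = new Scope.Builder("organization=org", "environment=env1").build();
        Scope cloudClusterScope = new Scope.Builder("organization=org", "environment=env1", "cloud-cluster=lkc-1").build();
        Scope kafkaClusterScope = new Scope.Builder("organization=org", "environment=env1", "cloud-cluster=lkc-1")
            .withKafkaCluster("lkc-1")
            .build();
        ManagedRoleBindingsBuilder builder = new ManagedRoleBindingsBuilder(this.authCache);
        String orgOwnerRole = RolesTestUtils.ORG_RESOURCE_OWNER_ROLE.name();
        String envOwnerRole = RolesTestUtils.ENV_RESOURCE_OWNER_ROLE.name();
        String resourceOwnerRole = RolesTestUtils.RESOURCE_OWNER_ROLE.name();
        ResourcePattern topicT1 = literal("Topic", "t1");
        RoleBinding orgOwner = binding(USER_1, orgOwnerRole, orgScope, topicT1);
        RoleBinding envOwner = binding(USER_2, envOwnerRole, envScope, topicT1);
        RoleBinding clusterOwner = binding(USER_3, resourceOwnerRole, kafkaClusterScope, topicT1);
        stubRoleBindings(Utils.mkSet(orgScope, envScope), orgOwner, envOwner);
        stubRoleBindings(Utils.mkSet(orgScope, envScope, cloudClusterScope, kafkaClusterScope), orgOwner, envOwner, clusterOwner);
        ManagedRoleBindings.ManagedResourceBinding expectedOrgOwner =
            new ManagedRoleBindings.ManagedResourceBinding(orgOwnerRole, topicT1, true);
        ManagedRoleBindings.ManagedResourceBinding expectedEnvOwner =
            new ManagedRoleBindings.ManagedResourceBinding(envOwnerRole, topicT1, true);

        // Env scope: the cluster-bound owner (USER_3) is not yet in the picture.
        ManagedRoleBindings envByU1 = builder.build(envScope, USER_1, TOPIC);
        ManagedRoleBindings envByU2 = builder.build(envScope, USER_2, TOPIC);
        ManagedRoleBindings envByU3 = builder.build(envScope, USER_3, TOPIC);
        Assert.assertTrue(envByU1.getClusterRoleBindings().isEmpty());
        Assert.assertEquals(2, envByU1.getResourceRoleBindings().size());
        Assert.assertEquals(2, envByU2.getResourceRoleBindings().size());
        Assert.assertEquals(expectedOrgOwner, resourceBindingsFor(envByU2, USER_1).get(0));
        Assert.assertEquals(expectedEnvOwner, resourceBindingsFor(envByU2, USER_2).get(0));
        Assert.assertTrue(envByU3.getResourceRoleBindings().isEmpty());

        // Kafka-cluster scope: all three owners see all three bindings.
        ManagedRoleBindings clusterByU1 = builder.build(kafkaClusterScope, USER_1, TOPIC);
        ManagedRoleBindings clusterByU2 = builder.build(kafkaClusterScope, USER_2, TOPIC);
        ManagedRoleBindings clusterByU3 = builder.build(kafkaClusterScope, USER_3, TOPIC);
        Assert.assertTrue(clusterByU1.getClusterRoleBindings().isEmpty());
        Assert.assertEquals(3, clusterByU1.getResourceRoleBindings().size());
        Assert.assertEquals(3, clusterByU2.getResourceRoleBindings().size());
        Assert.assertEquals(3, clusterByU3.getResourceRoleBindings().size());
        Assert.assertEquals(expectedOrgOwner, resourceBindingsFor(clusterByU3, USER_1).get(0));
        Assert.assertEquals(expectedEnvOwner, resourceBindingsFor(clusterByU3, USER_2).get(0));
        Assert.assertEquals(
            new ManagedRoleBindings.ManagedResourceBinding(resourceOwnerRole, topicT1, true),
            resourceBindingsFor(clusterByU3, USER_3).get(0));
    }

    /** Stubs the auth cache to return exactly {@code bindings} for a lookup keyed by {@code scopes}. */
    private void stubRoleBindings(Set<Scope> scopes, RoleBinding... bindings) {
        Mockito.when(this.authCache.rbacRoleBindings(scopes)).thenReturn(ImmutableSet.copyOf(bindings));
    }

    /** A cluster-level binding (no resource patterns) of {@code roleName} for {@code principal} at {@code scope}. */
    private static RoleBinding binding(KafkaPrincipal principal, String roleName, Scope scope) {
        return new RoleBinding(principal, roleName, scope, Collections.emptySet());
    }

    /** A resource-level binding of {@code roleName} for {@code principal} at {@code scope} on a single pattern. */
    private static RoleBinding binding(KafkaPrincipal principal, String roleName, Scope scope, ResourcePattern resource) {
        return new RoleBinding(principal, roleName, scope, Collections.singleton(resource));
    }

    /** Cluster-level bindings visible for {@code principal} in {@code result}; null when the principal is absent. */
    private static List<?> clusterBindingsFor(ManagedRoleBindings result, KafkaPrincipal principal) {
        return (List<?>) result.getClusterRoleBindings().get(principal);
    }

    /** Resource-level bindings visible for {@code principal} in {@code result}; null when the principal is absent. */
    private static List<?> resourceBindingsFor(ManagedRoleBindings result, KafkaPrincipal principal) {
        return (List<?>) result.getResourceRoleBindings().get(principal);
    }

    /** Asserts {@code principal} has exactly one visible cluster binding, of {@code roleName} with the given modify flag. */
    private static void assertOnlyClusterBinding(ManagedRoleBindings result, KafkaPrincipal principal, String roleName, boolean canModify) {
        List<?> visible = clusterBindingsFor(result, principal);
        Assert.assertEquals(1, visible.size());
        Assert.assertTrue(visible.contains(new ManagedRoleBindings.ManagedClusterBinding(roleName, canModify)));
    }

    /** Asserts {@code principal} has exactly one visible resource binding and that it equals {@code expected}. */
    private static void assertOnlyResourceBinding(ManagedRoleBindings result, KafkaPrincipal principal,
                                                  ManagedRoleBindings.ManagedResourceBinding expected) {
        List<?> visible = resourceBindingsFor(result, principal);
        Assert.assertEquals(1, visible.size());
        Assert.assertEquals(expected, visible.get(0));
    }

    private static ResourcePattern literal(String resourceType, String name) {
        return new ResourcePattern(resourceType, name, PatternType.LITERAL);
    }

    /**
     * Parses the JSON scope-hierarchy fixture used to construct {@link RbacRoles}.
     *
     * A malformed fixture must fail the test setup loudly here; the previous version returned
     * null, which only surfaced later as an unrelated NullPointerException inside RbacRoles.
     *
     * @throws UncheckedIOException if {@code json} cannot be deserialised
     */
    @SuppressWarnings("unchecked") // the deserializer's result is cast to the declared map type
    private static LinkedHashMap<String, Object> bindingScopes(String json) {
        try {
            return (LinkedHashMap<String, Object>) MdsJsonUtil.deserializeJson(json, new TypeReference<LinkedHashMap<String, Object>>() { });
        } catch (IOException e) {
            throw new UncheckedIOException("Invalid binding-scopes fixture: " + json, e);
        }
    }
}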
